
    Virtualization showdown at Black Hat conference

    Next week at the Black Hat conference in Las Vegas, security
    researcher Joanna Rutkowska promises to demonstrate how a malicious
    attacker, working remotely, could take control of the open-source
    Xen virtualization software.


    If successful, Rutkowska and her team will be the first
    researchers to demonstrate how to compromise a Xen hypervisor, that
    crucial layer of virtualization software underneath all the
    virtualized environments running on a machine, one that provides
    direct connections to the processor, memory and hardware
    devices.


    "Many people [have] argued that having a legitimate hypervisor
    installed prevents installation of virtualization-based malware. We
    will show that this is not the case," she e-mailed.


    For the conference, Rutkowska will oversee three presentations, which will be given by
    herself, Rafal Wojtczuk and Alex Tereshkin. In addition to showing
    how to install the rootkit, they also plan to show how someone
    could bypass the security monitoring mechanisms that would normally
    detect such an attack. Finally, and perhaps most importantly, they
    will show how users could prevent such attacks.


    Citrix Systems chief security strategist Kurt Roemer expects
    Rutkowska's disclosure will generate more publicity than prove to
    be a serious threat to operating instances of the software. He
    likens it to the "sensationalist attacks" that are frequently leveled
    against virtualization software. Citrix offers a
    commercially supported version of Xen.


    Roemer has not seen Rutkowska's presentation, but he does point
    out that the attack will probably rely upon the attacker having
    root access to the server running Xen. "That's not a normal model,"
    he noted.


    Rutkowska confirmed that root access is needed. Much as root
    access is needed to install a rootkit on a server, so too will
    administrative access be needed to breach Xen. Rutkowska argued,
    however, that her work is still important.


    "Years ago other vendors tried to downplay the importance of ...
    [Microsoft] Windows kernel rootkits, saying that one needed to
    already be an administrator in order to install one. As we know,
    over the last couple of years, kernel rootkits became a very
    serious security problem," she e-mailed.


    The attack requires taking control of the Xen master domain,
    called Domain 0.


    Within Xen, each virtualized environment is given its own space
    in memory, called a domain. In addition to these user domains
    (called DomUs), there is also a domain, called Domain 0, which is
    a privileged domain used for controlling the whole Xen system. "It
    is automatically created when the system boots and does a lot of
    the management of the system. It builds all of the other user
    domains and manages all of their virtual devices," Roemer said.


    "The subverting techniques we will be presenting at Black Hat
    indeed assume that the attacker first obtained access to Domain 0,"
    Rutkowska e-mailed. She brushed off that this would be a serious
    challenge, though. "Domain 0, being an administrative domain,
    requires certain services to be run inside it. One such service is
    [a Secure Shell] daemon. This makes the attack surface on Domain 0
    quite large."


    Increasingly over the past few years, security researchers and
    malicious users have sought ways to break into Domain 0
    from a virtualized guest environment.


    In December, a McAfee researcher found that a file system utility
    called e2fsprogs could allow a guest user to manipulate a boot partition in such a way that a
    malicious command could be passed from the guest machine to the
    host machine.


    "Over the last year, it has been shown that Domain 0 is far from
    being bulletproof," she said in an e-mail. "With our
    presentations, we take the game to the new level by studying how to
    compromise the hypervisor and what we can do to prevent
    it."


    The researchers promise to show how a user can bootstrap up from
    Domain 0 into the hypervisor itself.


    Roemer downplayed the impact of Xen's security
    vulnerabilities, noting that those found so far have been only in
    versions of the software under development. They were found, and
    fixed, in the developmental open-source versions of the software,
    Roemer said. "Published Xen is configured in a secure
    way," he said.


    Moreover, recent versions of Xen have guards in place to protect
    the hypervisor even from actions within Domain 0, involving the use
    of an input/output memory management unit (IOMMU) found on newer
    peripheral devices such as network cards.


    These initiatives do not seem to intimidate the researchers
    though.


    "We will show how to bypass those protections and subvert Xen
    hypervisor memory," Rutkowska promised.


    This is not Rutkowska's first brush with controversy within the
    emerging practice of virtualization security. At the 2006 Black Hat conference, she introduced
    what she called a virtualization rootkit, dubbed Blue Pill. According to
    Rutkowska, Blue Pill could encapsulate an entire operating
    environment within a virtualized container, while offering the user
    no clue that the environment is actually under the control of another
    party.


    "We're going to see how it is presented," Roemer said.
    "She's done some really cool stuff in the past, but in this
    case I don't see this applying to all of Xen."

